In early November 2021, readers inquired about a rumor urging people to "delete Google Chrome" from Android phones over "security issues," privacy concerns, and accelerometer data, a reference to the device's motion sensors.
But unless an Android phone has been "rooted" by an advanced user, the Chrome app cannot be deleted. It can only be disabled.
"Delete Google Chrome" has trended in the past because of other purported issues, but in this specific case, we tracked the rumor to a Nov. 6 story from The Sun. This led us to another article from the same day from Forbes. The Forbes story ran under the headline, "Why You Should Delete Google Chrome On Your Phone."
Within the article, Forbes contributor Zak Doffman linked to an Oct. 29 tweet from a researcher named Tommy Mysk. So essentially, reader emails asking if they should "delete Google Chrome" led us to a piece from The Sun, then a story from Forbes, and finally the origins of the claim: a tweet.
In a video that was posted with the tweet, Mysk showed how to disable and block websites from accessing the motion sensors on Android phones:
According to a researcher's Twitter thread that was linked by Fast Company, the motion sensors on smartphones can be used by apps or websites to "gather information about your emotional state, heart rate, sleeping habits, and more."
No such toggle setting appeared to exist in Google Chrome on Apple's iPhone devices. However, Mysk previously published a story about motion sensor concerns for iOS, Apple's mobile operating system.
Mysk also noted that iPhone devices don't allow web browsers to use motion sensors without specific permission, which is requested in a prompt:
A Twitter user replied to Mysk, claiming that the issue was being blown out of proportion:
Mysk responded with more data:
In the tweet, Mysk linked to a 2018 story from Wired.com that described the potentially dangerous nature of the entire issue:
That unapproved access to motion, orientation, proximity, or light sensor data alone probably wouldn't compromise a user's identity or device. And a web page can only access sensors as long as a user is actively browsing the page, not in the background.
But the researchers note that on a malicious website, the information could fuel various types of attacks, like using ambient light data to make inferences about a user's browsing, or using motion sensor data as a sort of keylogger to deduce things like PIN numbers.
We reached out to Google with questions about the motion sensor concerns and the "delete Google Chrome" messages. In response, the company shared a link to data about an API permission change in 2019 that allowed users to disable and block motion sensor usage by websites. It also sent this statement about that change:
We intentionally limit the resolution of motion sensors in Chrome, and since 2019 we've had controls that allow users to block websites from accessing a device's motion sensors altogether.
We take user security and privacy seriously, and we're always working on new ways to improve security and privacy in Chrome.
We also contacted experts in the field. Kevin Dunne, president at Pathlock, advised that Android users should take this development seriously:
In the case of this most recent finding about Chrome tracking motion sensor activity in Android, I think it highlights the major concern that Google has influence over both the OS (Android) and App (Chrome), allowing for more uncertainty around how end user data is being shared, and who it is being shared with.
Google has historically had a laxer policy when it comes to privacy, mostly because Google relies on ads as its top source of revenue. Ads are more effective and command higher prices when they are more targeted, and more information about the user can provide greater targeting. Google's ownership of the OS and App has allowed it to avoid the negative impacts other ad networks (like Facebook and Snapchat) have faced due to recent changes by Apple in its iOS.
In general, users browsing on Chrome via an Android device should consider the risks and determine their risk appetite. In general, users who are most concerned with privacy should probably shift to an iOS device, where privacy is built in, and permissions are more "opt-in" rather than "opt-out". Users who still have concerns but are less privacy conscious could consider a more secure browser like Brave but should note that Google might be collecting information from other apps on the phone they control as well (e.g., Gmail). In general, motion and location data are some of the most dangerous to have leaked, because they can provide attackers a way to easily locate a device and therefore its user. So, users should treat the potential of data compromise seriously.
Readers with Android phones are free to disable and block motion sensors in the browser app if they choose to do so. Steps to accomplish this were shown in the video in this tweet.